Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Tsvika_Akerman
Employee
Employee
Jump to solution

R80.40 Early Availability Program @ Check Point Update

 

 

Picture6781.png

 

R80.40 EA Program 

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V. 


Enrollment // Production EA

 

online.png

 

• We are looking for R80.X / R77.X Production environment to evaluate the new version.

• Start date: Started 

online4 - Copy.png

 

Public EA (for Lab/Sandbox use) is now also available!

  • Log into UserCenter and Select Try Our Products > Early Availability Programs
  • In PartnerMap, it is Learn > Evaluate > Early Availability Programs
  • NOTE: Upgrade from Public EA to GA is not supported

 

Additional questions? contact us@ EA_SUPPORT@checkpoint.com

What's New 

IoT Security

A new IoT security controller to:

  • Collect IoT devices and traffic attributes from certified IoT discovery engines (currently supports Medigate, CyberMDX, Cynerio, Claroty, Indegy, SAM and Armis). 
  • Configure a new IoT dedicated Policy Layer in policy management.
  • Configure and manage security rules that are based on the IoT devices' attributes.                      

TLS Inspection

HTTP/2

  • HTTP/2 is an update to the HTTP protocol. The update provides improvements to speed, efficiency and security and results with a better user experience. 
  • Check Point's Security Gateway now support HTTP/2 and benefits better speed and efficiency while getting full security, with all Threat Prevention and Access Control blades, as well as new protections for the HTTP/2 protocol.
  • Support is for both clear and SSL encrypted traffic and is fully integrated with HTTPS/TLS
  • Inspection capabilities.                      

TLS Inspection Layer

This was formerly called HTTPS Inspection. Provides these new capabilities:

  • A new Policy Layer in SmartConsole dedicated to TLS Inspection.
  • Different TLS Inspection layers can be used in different policy packages.
  • Sharing of a TLS Inspection layer across multiple policy packages.
  • API for TLS operations.

Threat Prevention

  • Overall efficiency enhancement for Threat Prevention processes and updates.
  • Automatic updates to Threat Extraction Engine.
  • Dynamic, Domain and Updatable Objects can now be used in Threat Prevention and TLS Inspection policies. Updatable objects are network objects that represent an external service or a known dynamic list of IP addresses, for example - Office365 / Google / Azure / AWS IP addresses and Geo objects.
  • Anti-Virus now uses SHA-1 and SHA-256 threat indications to block files based on their hashes. Import the new indicators from the SmartConsole Threat Indicators view or the Custom Intelligence Feed CLI.
  • Anti-Virus and SandBlast Threat Emulation now support inspection of e-mail traffic over the POP3 protocol, as well as improved inspection of e-mail traffic over the IMAP protocol.
  • Anti-Virus and SandBlast Threat Emulation now use the newly introduced SSH inspection feature to inspect files transferred over the SCP and SFTP protocols.
  • Anti-Virus and SandBlast Threat Emulation now provide an improved support for SMBv3 inspection (3.0, 3.0.2, 3.1.1), which includes inspection of multi-channel connections. Check Point is now the only vendor to support inspection of a file transfer through multiple channels (a feature that is on-by-default in all Windows environments). This allows customers to stay secure while working with this performance enhancing feature.

Access Control

Identity Awareness

  • Support for Captive Portal integration with SAML 2.0 and third party Identity Providers.
  • Support for Identity Broker for scalable and granular sharing of identity information between PDPs, as well as cross-domain sharing. 
  • Enhancements to Terminal Servers Agent for better scaling and compatibility.

IPsec VPN

  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This provides: 
    • Improved privacy - Internal networks are not disclosed in IKE protocol negotiations.
    • Improved security and granularity - Specify which networks are accessible in a specified VPN community.
    • Improved interoperability - Simplified route-based VPN definitions (recommended when you work with an empty VPN encryption domain).
  • Create and seamlessly work with a Large Scale VPN (LSV) environment with the help of LSV profiles.

URL Filtering

  • Improved scalability and resilience.
  • Extended troubleshooting capabilities.


NAT

  • Enhanced NAT port allocation mechanism - on Security Gateways with 6 or more CoreXL Firewall instances, all instances use the same pool of NAT ports, which optimizes the port utilization and reuse.
  • NAT port utilization monitoring in CPView and with SNMP.


Voice over IP (VoIP)

Multiple CoreXL Firewall instances handle the SIP protocol to enhance performance.


Remote Access VPN

Use machine certificate to distinguish between corporate and non-corporate assets and to set a policy  enforcing the use of corporate assets only. Enforcement can be pre-logon (device authentication only) or post-logon (device and user authentication).


Mobile Access Portal Agent

Enhanced Endpoint Security on Demand within the Mobile Access Portal Agent to support all major web browsers. For more information, see sk113410.


Security Gateway and Gaia

CoreX L and Multi-Queue

  • Support for automatic allocation of CoreXL SNDs and Firewall instances that does not require a Security Gateway reboot.
  • Improved out of the box experience - Security Gateway automatically changes the number of CoreXL SNDs and Firewall instances and the Multi-Queue configuration based on the current traffic load.

Clustering

  • Support for Cluster Control Protocol in Unicast mode that eliminates the need for CCP

Broadcast or Multicast modes.

  • Cluster Control Protocol encryption is now enabled by default.
  • New ClusterXL mode -Active/Active, which supports Cluster Members in different geographic locations that are located on different subnets and have different IP addresses.
  • Support for ClusterXL Cluster Members that run different software versions.
  • Eliminated the need for MAC Magic configuration when several clusters are connected to the same subnet.

VSX

  • Support for VSX upgrade with CPUSE in Gaia Portal.
  • Support for Active Up mode in VSLS.
  • Support for CPView statistical reports for each Virtual System


Zero Touch

A simple Plug & Play setup process for installing an appliance - eliminating the need for technical expertise and having to connect to the appliance for initial configuration.

Gaia REST API

Gaia REST API provides a new way to read and send information to servers that run Gaia Operating System. See sk143612.

Advanced Routing

  • Enhancements to OSPF and BGP allow to reset and restart OSPF neighboring for each CoreXL Firewall instance without the need to restart the routed daemon.
  • Enhancing route refresh for improved handling of BGP routing inconsistencies.


New kernel capabilities

  • Upgraded Linux kernel
  • New partitioning system (gpt):
  • Supports more than 2TB physical/logical drives
  • Faster file system (xfs)
  • Supporting larger system storage (up to 48TB tested)
  • I/O related performance improvements
  • Multi-Queue:
  • Full Gaia Clish support for Multi-Queue commands
  • Automatic "on by default" configuration
  • SMB v2/3 mount support in Mobile Access blade
  • Added NFSv4 (client) support (NFS v4.2 is the default NFS version used)
  • Support of new system tools for debugging, monitoring and configuring the system

 

CloudGuard Controller

  • Performance enhancements for connections to external Data Centers.
  • Integration with VMware NSX-T.
  • Support for additional API commands to create and edit Data Center Server objects.


Security Management

Multi-Domain Server

  • Back up and restore an individual Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server on one Multi-Domain Server to a different Multi-Domain Security Management.
  • Migrate a Security Management Server to become a Domain Management Server on a Multi-Domain Server.
  • Migrate a Domain Management Server to become a Security Management Server.
  • Revert a Domain on a Multi-Domain Server, or a Security Management Server to a previous revision for further editing.

SmartTasks and API

  • New Management API authentication method that uses an auto-generated API Key.
  • New Management API commands to create cluster objects.
  • Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.
  • SmartTasks - Configure automatic scripts or HTTPS requests triggered by administrator tasks, such as publishing a session or installing a policy.

Deployment

Central Deployment of Jumbo Hotfix Accumulator and Hotfixes from SmartConsole or with an API allows to install or upgrade multiple Security Gateways and Clusters in parallel.


SmartEvent

Share SmartView views and reports with other administrators.


Log Exporter

Export logs filtered according to field values.


Endpoint Security

  • Support for BitLocker encryption for Full Disk Encryption.
  • Support for external Certificate Authority certificates for Endpoint Security client
  • authentication and communication with the Endpoint Security Management Server.
  • Support for dynamic size of Endpoint Security Client packages based on the selected
  • features for deployment.
  • Policy can now control level of notifications to end users.
  • Support for Persistent VDI environment in Endpoint Policy Management.

 

online.png

 

83 Replies
MattG
Explorer

I have a customer using MEP to provide load-sharing and resilience across two physical Internet links in two geographically separate data centres for end users (i.e  not site-to-site).  It works really well, and you can clearly see the load balanced almost equally (within single-digits) with 2,000 users per site/cluster.  When one site fails (or is taken down for maintenance) all users just connect seamlessly to the remaining site with MEP.  This has been working for years on R77 and now R80.

0 Kudos
CSR
Contributor

IPsec VPN

  • Configure different VPN encryption domains on a Security Gateway that is a member of multiple VPN communities. This Option was much needed, looking forward to it. Thanks for including this change in R80.40. Alos, just wanted to confirm if SHA-512 is added for Hashing method inside S2S VPN configuration or not. Nowadays many of the Clients asking to use the SHA-512 for Integrity but its not available with Checkpoint yet (Till R80.30).

 

Thanks,

CSR

Steffen_Appel
Advisor

Since yesterday it is public EA.

0 Kudos
Timothy_Hall
Legend Legend
Legend

From the R80.40 release notes:

Application Control

  • Improved performance, diagnostics and monitoring tools.
  • Enchantment to Server Name Indicators (SNI) classifications.

Always thought SNI seemed like magic and finally we have confirmation!

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Garrett_DirSec
Advisor

hoho @Timothy_Hall .  you a funny man!! 

0 Kudos
Tsvika_Akerman
Employee
Employee

Hi All,

In order to release R80.40 we are looking for production sites that are willing to install this week!
we have release candidate and we are on the verge of final version.

Contact us directly at:  EA_SUPPORT@checkpoint.com
or enroll: https://www.surveymonkey.com/r/cp-ea-r8040-enrollment

genisis__
Leader Leader
Leader

Has anyone tested the backup and restore of an individual CMA?

 

0 Kudos
Daniel_Kavan
Advisor

Hi, Can a R80.30 or R80.20 manager manage an 80.40 EA gateway?   I'd like to bring up a production 5800 appliance but keep my main manager on a GA version.  I'm guessing the R80.40 manager will be under GA sooner than the gateway, but it seems like R80.40 EA, includes manager and gateway.

0 Kudos
Garrett_DirSec
Advisor

hello -- what you describe (production devices) is necessarily the private EA accessed via your local CP field engineers and onsite TLC. 

 

cp-ea1.jpg

Daniel_Kavan
Advisor

future planning question.   RE: gateway   Should R80.40 be stable with ext3 or is xfs required/strongly recommended?

0 Kudos
Timothy_Hall
Legend Legend
Legend

Stability should be about the same.  Considering how little the gateway normally hits its hard drive, I doubt it will make much of a performance difference.  XFS might be able to recover itself slightly better in the event of a power loss or crash, but that is about it.

A SMS/MDS on the other hand is a completely different story, and you most definitely want XFS due to heavy hard drive utilization.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
David_Moss
Employee
Employee

Hi Daniel,

Currently only R80.40 Management server can manage R80.40 GW.

Once R80.40 is GA it will be supported by next JHF for R80.20 & R80.30.

 

phlrnnr
Advisor

So, once the jumbo support is added to R80.30 management, would an R80.30 manager be able to manage a new pair of R80.40 gateways deployed in Active-Active cluster mode (eg. L3 clustering)?

0 Kudos
David_Moss
Employee
Employee

Hi,

Unfortunately Active-Active cluster requires  R80.40 management server, so at this stage you will not be able to use it unless upgrading the management server to R80.40.

0 Kudos
Daniel_Kavan
Advisor

RE: upgrade from R80.30 2.6.18 kernel to R80.40 3.10 kernel question for future planning

If you have a 5800 appliance (gateway only) that was recently formatted with ext3 (R80.30 running 2.6.18), and you plan to upgrade to R80.40 GA (once its out in March/April?) will you need to plan to re-format or can you simply count on a normal CPUSE upgrade the gateway to R80.40 GA?  And the kernel should change to 3.10 correct, no re-format necessary y/n?   

From what I can tell an upgrade will get me to R80.40 and 3.10, but if I want xfs, I'd need to re-format.

 

[Expert@fwl-box-03:0]# cat /etc/fstab
/dev/mapper/vg_splat-lv_current / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/vg_splat-lv_log /var/log ext3 defaults 1 2
LABEL=SWAP-sda2 swap swap defaults 0 0

 


[Expert@fwl-box-04:0]# cat /etc/fstab
/dev/mapper/vg_splat-lv_current / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs defaults 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/vg_splat-lv_log /var/log ext3 defaults 1 2
LABEL=SWAP-sda2 swap swap defaults 0 0

0 Kudos
Mattia_Varone
Participant

Hi,

 

will be possibile moves from a SMS 80.20 an let become it ad Domanin Management Server (CMA) in 80.40?

 

Regards

Mattia

0 Kudos
_Val_
Admin
Admin

@Mattia_Varone generally speaking, yes, you can migrate SMS to MDSM as a security domain server. Mind R80.40 public EA is for lab purposes though. If you want to move your production environment, you will have to wait till the release is out.

0 Kudos
Mattia_Varone
Participant
Hi Val,
thanks for your reply. So the issue described in the sk122700, will be solved in 80.40?
Thanks
Mattia
0 Kudos
_Val_
Admin
Admin

Oh, I see... let me check with R&D, it might be my answer was not correct, as it is not applicable to R80.30 and below, apparently.

0 Kudos
Mattia_Varone
Participant
Thanks, I'm waiting your update.
I hope will be possible move from a Security Management Server 80.40 to become a Domain Management Server on a Multi-Domain Server 80.40
Regards
Mattia Varone
0 Kudos
Eran_Habad
Employee
Employee

Hi @Mattia_Varone, my name is Eran and I'm the R&D manager in Check Point responsible for the core of the Management server. In R80.40 we implemented the ability to do the following:

  • Backup and restore an individual Domain.
  • Migrate Domain to another Multi Domain Server.
  • Migrate a SmartCenter machine to a Domain on a Multi Domain Server (and vice versa).

All those abilities are included and available as part of the public EA of R80.40, more info could be found on the EA version of the Management API reference for R80.40, but note some of the SKs which appear as reference are still internal and will be released once R80.40 is out.

We plan to make those abilities available as part of the JHF of R80.20 and R80.30 soon and we're actually looking for customers who would like to take part in testing the Domain migration feature as part of JHF. Please contact me directly if it's relevant for you - would be great!

_Val_
Admin
Admin

@Eran_Habad thanks for your answer

Mattia_Varone
Participant
Thanks for your support
Mattia_Varone
Participant
Thanks Eran for your answer
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events